Merge pull request #22 from conjurinc/support-encrypted-ebs-base

Support encrypted ebs base
conjurinc · Jan 4, 2024 · 32ae33a · 32ae33a
2 parents 4680616 + eb66c4c
commit 32ae33a
Show file tree

Hide file tree

Showing 7 changed files with 41 additions and 6 deletions.
diff --git a/.kitchen.yml b/.kitchen.yml
@@ -2,7 +2,9 @@
 ---
 driver:
   name: ec2
-  security_group_ids: ['sg-45fdda28']
+  security_group_ids: ['sg-0892691752769d8ec']
+  subnet_id: subnet-3202bb0e
+  vpc_id: vpc-36803e50
   region: us-east-1
   aws_ssh_key_id: test-kitchen
   require_chef_omnibus: false

diff --git a/Dockerfile.testkitchen b/Dockerfile.testkitchen
@@ -1,4 +1,4 @@
-FROM mesosphere/aws-cli
+FROM alpine:latest
 MAINTAINER Jason Vanderhoof <[email protected]>
 
 ENV BUILD_DEPENDENCIES libffi-dev openssl ca-certificates linux-headers
@@ -8,13 +8,14 @@ ENV RUBY_PACKAGES ruby ruby-dev ruby-rdoc ruby-irb build-base ruby-io-console
 # At the end, remove the apk cache
 RUN apk update && \
     apk upgrade && \
+    apk add aws-cli && \
     apk add $BUILD_DEPENDENCIES && \
     apk add $RUBY_PACKAGES && \
     rm -rf /var/cache/apk/*
 
 RUN update-ca-certificates
 
-RUN gem install test-kitchen kitchen-ec2 berkshelf:6.3.2 rspec-retry --no-document
+RUN gem install test-kitchen kitchen-ec2 berkshelf rspec-retry --no-document
 
 RUN mkdir -p /src
 ENTRYPOINT []
diff --git a/Jenkinsfile b/Jenkinsfile
@@ -6,6 +6,7 @@ pipeline {
   options {
     timestamps()
     buildDiscarder(logRotator(numToKeepStr: '30'))
+    lock resource: "appliance-ami-creation"
   }
 
   parameters {
@@ -19,9 +20,15 @@ pipeline {
   stages {
     stage('Create the AMI') {
       steps {
+        sh "summon ./ebs_encryption.sh disable us-east-1"
         sh "./build-ami.sh ${params.IMAGE}"
         archiveArtifacts artifacts: 'AMI,ami-*', fingerprint: true
       }
+      post {
+        always {
+          sh "summon ./ebs_encryption.sh enable us-east-1"
+        }
+      }
     }
 
     stage('Smoke test the AMI') {

diff --git a/bootstrap.sh b/bootstrap.sh
@@ -9,7 +9,7 @@ echo "Waiting for container to be ready (TODO switch to polling)"
 sleep 60
 
 echo "Fetching instance hostname..."
-hostname=$(curl -s http://169.254.169.254/latest/meta-data/public-hostname)
+hostname=$(curl -s http://169.254.169.254/latest/meta-data/hostname)
 password=TestingAMI-12!
 orgaccount=kitchen
 

diff --git a/build-ami.sh b/build-ami.sh
@@ -32,9 +32,9 @@ export PACKER_LOG=1
 summon docker run \
     -v $(pwd):/opt/ \
     --env-file @SUMMONENVFILE -e AMI \
-    hashicorp/packer:light build -var "appliance_image_tag=$TAG" /opt/packer.json | tee packer.out
+    hashicorp/packer:full build -var "appliance_image_tag=$TAG" /opt/packer.json | tee packer.out
 
 # write the AMI ID to files for smoke tests archiving
-ami_id=$(tail -2 packer.out | head -2 | awk 'match($0, /ami-.*/) { print substr($0, RSTART, RLENGTH) }')
+ami_id=$(tail -3 packer.out | head -2 | awk 'match($0, /ami-.*/) { print substr($0, RSTART, RLENGTH) }')
 echo -n "$ami_id" > AMI
 touch $ami_id
diff --git a/ebs_encryption.sh b/ebs_encryption.sh
@@ -0,0 +1,23 @@
+#!/usr/bin/env bash
+set -eou pipefail
+
+REGION="us-east-1"
+ACTION="enable"
+
+if [ $# -gt 0 ] && [[ -n $1 ]]; then
+  if [[ "$1" == "enable" ]]; then
+    ACTION="$1"
+  elif [[ "$1" == "disable" ]]; then
+    ACTION="$1"
+  else
+    echo "Unknown action $1, must be one of enable | disable"
+    exit 1
+  fi
+fi
+
+if [ $# -gt 1 ] && [[ -n $2 ]]; then
+  REGION="$2"
+fi
+
+summon docker run --rm --env-file @SUMMONENVFILE \
+  amazon/aws-cli ec2 --region "$REGION" $ACTION-ebs-encryption-by-default
diff --git a/packer.json b/packer.json
@@ -14,6 +14,8 @@
     "region": "us-east-1",
     "source_ami": "{{user `source_ami`}}",
     "instance_type": "{{user `instance_type`}}",
+    "vpc_id": "vpc-36803e50",
+    "subnet_id": "subnet-f10c2cb8",
     "ssh_username": "ec2-user",
     "ami_name": "CyberArk-DAP-{{user `appliance_image_tag`}}-{{timestamp}}",
     "launch_block_device_mappings": [{